Four independently-owned Canadian Tire affiliate stores in British Columbia that installed facial recognition applications for security broke the province’s privacy law, B.C.’s information and privacy commissioner has ruled.
“The investigation showed that the stores did not adequately notify customers and did not
obtain consent for the collection of personal information using FRT (facial recognition technology),” Commissioner Michal McEvoy said in a ruling released today.
Even if customers were properly notified their images were being captured, the stores didn’t demonstrate to the commission there was a reasonable reason for collecting the images, he added.
“In my view, retailers would have to go some way to legally justify the collection of biometrics from everyone who enters their premises,” McEvoy said. “As a democratic society, we must proceed with caution, or not at all in many cases, when it comes to FRT.”
The report also calls on the province to close a hole in the Security Services Act, which regulates the sale of closed-circuit TV but not facial recognition and other biometric solutions. These applications are now sold and used in B.C. without parameters, controls, or accountability, the report says. “These technologies are far more intrusive than other security solutions that government currently regulates. Companies and individuals who provide FRT and other biometric solutions should be subject to oversight, just as government controls CCTV and alarm companies.”
In addition, the provincial private-sector privacy law should be amended to force firms to notify the commissioner they intend to provide or implement any technology product or service that involves the collection, use, or disclosure of biometric information. This would follow a similar obligation in Quebec.
The use of facial recognition technology by police and the private sector has come under heavy attack. In 2020, the federal privacy commissioner ruled mall developer Cadillac Fairview collected 5 million shoppers’ images without their knowledge or consent in an information kiosk, with the goal of analyzing their age and gender.
For almost four years, starting in 2018, systems in three B.C. Canadian Tire affiliates collected facial images or videos of individuals entering the stores. The fourth store installed its system in 2019. Biometric templates from those faces were created and compared to a database of previously collected photos and biometric templates of persons of interest who had allegedly been involved in incidents at nearby Canadian Tire stores, the report said.
If there was a match, identity had to be verified by management or security personnel before action was taken. If a prior incident included violence, management or security staff would escort the individual from the store. If the prior incident involved theft, management may have chosen to surveil or remove the person.
If images didn’t match they were stored in a “Visitor” database and overwritten (erased) after 30 to 60 days. When the systems did generate a match, images and facial biometrics were manually uploaded and stored in the Persons of Interest database, for two years in one system and indefinitely, until manually deleted, in another.
As soon as the stores learned the privacy commissioner was investigating in November, 2021, they pulled the systems and wiped the servers. That didn’t stop the investigation.
Canadian Tire doesn’t have a rule allowing dealers to install surveillance technology, the report notes. The use of facial recognition applications in the three stores was done by each store’s manager. Canadian Tire had no access to any of the systems or data.
In a statement after the report was released, the company said it is vigilant about data protection and privacy. “Facial recognition technology is not used at any corporate-owned stores or offices. While Canadian Tire stores are independently owned and operated by Associate Dealers, the corporation and the dealers have mutually agreed to prohibit the use of facial recognition technology in Canadian Tire stores. Customers can remain confident that regardless of where they shop across our group of companies, their privacy will be protected.”
Three of the stores used FaceFirst as their FRT system. One store also used AxxonSoft, which included a standard FRT system as well as a returns desk verification system.
“Each store manager said that they purchased their FRT system after a vendor presentation and without first conducting a feasibility assessment or a privacy impact assessment, or otherwise considering the privacy rights of individual citizens,” the report notes.
B.C.’s Personal Information Protection Act (PIPA) governs how organizations collect, use, and disclose personal information. It requires organizations to process personal information in a manner that recognizes both the right of individuals to protect their personal information and the legal obligation to only process personal information for purposes that a reasonable person would consider appropriate in the circumstances.
The report notes the FRT systems created two distinct forms of personal information as visitors entered the stores: collected images or videos of their faces and facial biometrics rendered from those images.
Stores would have been required to notify and obtain consent from individuals for each type of collection of personal information by the facial recognition system, the report says, as well as tell them images were being collected by the stores’ separate surveillance system.
Notices posed by the stores such as “these premises are monitored by video surveillance that may include the use of electronic and/or biometric surveillance technologies.” and “facial recognition technology is being used on these premises to protect our customers and our business” were either too broad or insufficient, the commissioner ruled.
One store’s sign said in part that “video surveillance cameras and FRT (also known as biometrics) are used on these premises for the protection of our customers and staff.” But, the commissioner said, “FRT” wasn’t defined. “That is an important oversight because the
abbreviation is not yet well-known or widely understood,” the commissioner wrote.
“All four stores stated that they obtained implicit consent to collect personal information from individuals entering their locations,” the report says. “However, the purposes for collecting facial biometrics would not have been obvious to an average customer, including the creation of the persons of interest database. The stores are therefore unable to rely on implicit consent.” Explicit consent is needed for facial recognition technology, the report says, because the personal information captured is sensitive.
“Obtaining explicit consent in a retail environment would undoubtedly be a significant
undertaking. But such an undertaking is both necessary, proportionate, and commensurate
with asking people to hand over to a retailer extraordinarily detailed and sensitive personal
information.”
Another flaw is that the stores didn’t offer any proof of the effectiveness of facial recognition in halting theft, McEvoy added. “Organizations — especially when considering collection of highly sensitive personal information — should have a clear idea of how to measure their stated purposes in order to assess continued effectiveness and demonstrate compliance” with PIPA.
Besides, the report adds, managers told investigators the people they were looking for were often professional thieves they recognized, who repeatedly returned to a targeted location.
“Arguably,” the report says, “the stores gained little by employing FRT on top of less-intrusive alternatives already in place. At most, FRT might alert store staff to a known suspect a little more quickly than might otherwise be the case.”
The report doesn’t say facial recognition can’t be used in retail stores. But it does say the four stores investigated should have:
- documented organizational expectations and limits for the collection, use, and disclosure of personal information in fulsome privacy policies;
- conducted risk and feasibility assessments in advance of implementing new systems that collect or contain personal information;
- ensured contracted services align with organizational privacy policies;
- monitored compliance with the law and organizational expectations.
“This report documents what can go wrong when organizations lack effective, accountable
privacy management programs,” the report says. “Privacy management programs aid organizations in meeting their legal obligations by setting out roles and responsibilities … Implementing accountable privacy management programs would have provided frameworks against which the stores could have critically analyzed whether to acquire the FaceFirst and AxxonSoft FRT systems as a security measure in the first place. In addition, even though the stores have removed their FRT systems, having a robust privacy management program would enable them to be better equipped to evaluate and protect other personal information they collect.”
